Security issue when parsing HTML

When running this code, the image onerror handler is run. The onerror attribute is not defined in the schema, so why would this be allowed when parsing with the schema?

import { DOMParser } from 'prosemirror-model';
import { schema as basicSchema } from 'prosemirror-schema-basic';

// ProseMirror's DOMParser (not the browser's global DOMParser), built from the basic schema.
const domparser = DOMParser.fromSchema(basicSchema);

// The element is created in the live page document, so the innerHTML assignment below
// activates the markup: the browser tries to load the image and runs the inline
// onerror handler before ProseMirror ever sees the DOM.
const element = document.createElement('div');
element.innerHTML =
    '<div><img  s src c=x on onerror=confirm(document.domain)></div>';

// ProseMirror only reads the attributes the schema's parseDOM rules ask for;
// the onerror attribute never reaches the resulting document node.
const imageNode = domparser.parse(element, { preserveWhitespace: true });

The handler is run by your code using innerHTML, not by ProseMirror. Look up detached documents for how to do this properly.

2 Likes
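The "detached document" approach the reply points to, as an added example that is not code from the thread or from ProseMirror: the unsafe live-element parse from the question next to two inert alternatives. It assumes a browser environment and a `pmParser` object created elsewhere with `DOMParser.fromSchema(schema)` from `prosemirror-model`.

```javascript
// Added example, not from the original thread. Assumes a browser (window.DOMParser,
// document) and a ProseMirror parser built with DOMParser.fromSchema(schema).

// Unsafe: an element created in the live document is connected to a browsing
// context, so assigning innerHTML makes the browser fetch <img src> and run
// inline handlers such as onerror before ProseMirror parses anything.
function parseViaLiveElement(html, pmParser) {
  const el = document.createElement('div');
  el.innerHTML = html; // onerror fires here, in the page
  return pmParser.parse(el);
}

// Safe: the browser's DOMParser returns a document with no browsing context.
// Resources are not fetched and inline event handler attributes are never
// executed; they stay as plain attributes that ProseMirror's schema then ignores.
function parseViaDetachedDocument(html, pmParser) {
  const doc = new window.DOMParser().parseFromString(html, 'text/html');
  return pmParser.parse(doc.body);
}

// Equivalent alternative: a fresh HTML document from document.implementation
// is also detached, so innerHTML is inert there as well.
function parseViaCreatedHTMLDocument(html, pmParser) {
  const doc = document.implementation.createHTMLDocument('');
  doc.body.innerHTML = html; // inert: handlers do not run, images are not loaded
  return pmParser.parse(doc.body);
}

// Helper for checks: list the on* attributes still present (unexecuted) in a
// parsed subtree, e.g. to confirm in a test that the schema drops them.
function inlineHandlerAttributes(root) {
  const found = [];
  root.querySelectorAll('*').forEach(node => {
    for (const attr of node.attributes) {
      if (/^on/i.test(attr.name)) found.push(attr.name);
    }
  });
  return found;
}
```

Use `parseViaDetachedDocument` (or `parseViaCreatedHTMLDocument`) wherever untrusted HTML strings are turned into ProseMirror content; `parseViaLiveElement` is kept only to show the pattern from the question that should be avoided.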